Some Oracle databases have what security specialists describe as a serious flaw in the login system that an attacker can use to read and modify stored data.
The flaw, in Oracle Database 11g Releases 1 and 2, leaves the token that the server sends before authentication is finished exposed to a brute-force attack, said Esteban Martinez Fayo, the security researcher who discovered the flaw. If successful, an attacker can gain access to the database.
“An authentication bypass is pretty serious,” Kevin Mitnick, a famous white-hat hacker and founder of Mitnick Security Consulting, said in an email. “Basically, an attacker can get to the data stored in the database and even change it.”
The vulnerability stems from the way the authentication process protects session keys. When clients connect to the database server, a session key is sent along with a salt. Because this happens before the authentication process is complete, a remote attacker can link the key to a specific password hash and test password guesses against it without any further interaction with the server.
Oracle (http://www.testbells.com/vendor/Oracle), which did not respond to a request for comment, patched the flaw in the newest version of the authentication protocol, version 12. However, the company is not planning a patch for the flawed version, 11.1, Fayo said. Even with the upgrade, database administrators have to configure the server to permit only the latest version of the protocol.
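As an added example (not from the article or from Oracle), the following script checks an Oracle network configuration file for the configuration step described above. It assumes the minimum logon protocol version is governed by the sqlnet.ora parameters SQLNET.ALLOWED_LOGON_VERSION_SERVER (later releases) and SQLNET.ALLOWED_LOGON_VERSION (11g), and the two sqlnet.ora fragments are constructed samples.

```python
import re

# Constructed sample sqlnet.ora contents (not taken from the article).
WEAK_SQLNET_ORA = """
# sqlnet.ora - constructed example with a permissive setting
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION = 8
"""

HARDENED_SQLNET_ORA = """
# sqlnet.ora - constructed example restricted to the version-12 protocol
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 12
"""

# Assumed parameter names controlling the minimum logon protocol version;
# the newer _SERVER form takes precedence when both are present.
LOGON_VERSION_PARAMS = (
    "SQLNET.ALLOWED_LOGON_VERSION_SERVER",
    "SQLNET.ALLOWED_LOGON_VERSION",
)

_PARAM_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.+?)\s*$")


def parse_sqlnet_ora(text):
    """Return {PARAM_NAME: value} from sqlnet.ora text, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def minimum_logon_version(params):
    """Effective server-side minimum, or None if neither parameter is set."""
    for name in LOGON_VERSION_PARAMS:
        if name in params:
            value = params[name].strip("'\"").rstrip("a")  # "12a" -> "12"
            return int(value) if value.isdigit() else None
    return None


def accepts_flawed_protocol(text):
    """True when the server would still negotiate a pre-12 (11g-era) logon.

    An unset parameter is treated as permissive (conservative assumption)."""
    version = minimum_logon_version(parse_sqlnet_ora(text))
    return version is None or version < 12
```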